In many forms of electronic transactions, it is necessary for a device to verify a user's identity. While humans are extremely good at identifying other humans through physical characteristics and behaviors, devices are not nearly as good. Devices typically rely on a username/password scheme. This is a good scheme in many ways, but it puts a significant burden on the user (e.g., having to remember and manage passwords for different accounts). Additionally, passwords are not truly suited for identification, as they can be easily shared. Shared passwords are almost impossible to detect, and they do not provide true user identification at the level desired for many applications (e-commerce, user-based DRM, etc.). Physical tokens (e.g., keys) are also a good way to gain access, but they do not necessarily prove identity.

Some newer laptop computers include fingerprint sensors to aid in determining whether the proper user is trying to access the system. Currently, most identity management mechanisms based on physical biometrics (e.g., fingerprint, voice, hand geometry, etc.) and behavioral biometrics (e.g., signature, keystroke pattern, etc.) require the user to perform some explicit action in order to establish and/or verify their identity. For example, a user must utter some predetermined phrase when a voice recognition system is used. However, in order to provide the user with a more seamless experience, a passive means of biometric verification capable of operating in the background is needed.
One approach to passive identification, for example, is the use of location at the time of access, in addition to a person's purchase behavior, as a means to detect identity fraud. This is the way credit card companies often monitor their customers' buying habits. Data about credit card users are often collected from the information submitted by the merchants as part of the payment approval process. The collected information is typically stored in some infrastructure and analyzed for unusual activities over a period of time (to detect fraud/theft). This method, which credit card companies use to deter identity fraud, is not well suited to identity management use cases in the mobile environment, which typically involve user identification before a transaction. Furthermore, the remote collection of data on a user raises privacy concerns, as the user has no control over what data is collected and when.
A further approach uses time and location of access as part of its determination of access rules. However, this approach only uses the actual time/location of the log-in as part of the identity management and user authentication process.